The debate over the applicability or non-applicability of international law to cyber war and the need for a cyber-specific international treaty might be irrelevant. Both camps, pro and con, argue about the need for cyber war to have the Law of Armed Conflict or some new international legal project properly cover the cyber domain. Both camps, however, misread how the structure of the cyber domain precludes strategically ‘piggy-backing’ on conventional norms of war. International laws on conventional war are effective because of the ability to differentiate between civilian and military sectors. There is a civilian/military ambiguity in the cyber domain that makes such differentiation unlikely if not impossible well into the future.
Thus the folly of sanitized cyber war: with the focus on establishing legitimate targets and setting limitations on allowable action, the United States and its allies expose themselves to vulnerabilities while engaging in a futile endeavor that does not lead to improved cyber control. The effort to establish cyber rules akin to conventional norms is fruitless as these rules are not enforceable or logical. They will simply handcuff lawful states. This means greater effort should be spent on creating preemptive strategy that accepts the civilian/military ambiguity problem. This tendency of scholars and policymakers to strive for ‘sanitized’ cyber war by constraining targets during operations means cyber strategy remains absent true deterring power.
International norms established with the Geneva and Hague conventions were meant to be explicit lines of protection for civilian populations when states engaged in war. That respect and preservation of civilian life is now held to be sacrosanct, regardless of what form or delivery method war may take. As such, there is an expectation that cyberspace can be brought under the discipline of conventional rules of war. There is a problem, however: conventional war has the distinct advantage, historically, of being fairly explicit over target classification. Most military networks that would initiate and enact a cyber-attack depend upon and work within countless numbers of civilian networks. In addition, many of the actors that are part of the planning, initiation, and deployment of cyber-attacks are not necessarily formal military but civilian employees of government agencies. In other words, the world of cyber conflict and cyber war is not a world that can achieve such explicit classification. In fact, future trends only show this fusion growing deeper and tighter over time. As such, any attempt to introduce norms and rules that are predicated upon knowledgeable differentiation will likely end up confused and ineffective.
Without addressing this ambiguity problem, states find themselves facing a quandary: where are the lines of distinction between civilian and military drawn? Perhaps the biggest dilemma, therefore, is not the problem of figuring out attribution (who was the true trigger man?) but rather this futile attempt to clear up the inherent and purposeful ambiguity that characterizes the critical infrastructure used to house, develop, and utilize a state’s cyber capabilities. Up to now questions have focused more on comparable lethality, damage estimates, and the aforementioned attribution problem. To a certain extent, however, all of these legitimate problems are enveloped by the civilian/military ambiguity issue. The inability to establish that separation means lethality could potentially be greater by extending beyond military casualties, damage could be more devastating by extending beyond military facilities, and attribution might not even be relevant: defining the WHO of an attack is not a resolution of the problem if the HOW behind the WHO is inextricably fused between government, military, and civilian properties and people. In other words, many assume figuring out the WHO in cyber war will solve most problems. The ambiguity assertion reminds everyone to be careful what is wished for: in cyber war the WHO will never be conveniently distinct because of the HOW.
The failure to address this structural riddle has been matched by an over-emphasis on agency. This manifests itself namely in the focus on limiting and controlling potential cyber actions from adversarial states. James Lewis of CSIS emphasizes how a state can reduce risks for everyone by imposing common standards, like moving from the Wild West to the rule of law. Eugene Spafford concurred, citing how cyber security is a process, not a patch, requiring continual investment for the long-term as well as the quick fix, without which states will always be applying solutions to problems too late. These are some of the brightest and most respected names in the cyber discipline. Their warnings are not irrelevant but the emphasis on state actor agency, while failing to recognize the impact and importance of inherent cyber structure, leaves a vulnerability gap in cyber strategic thinking. Indeed, the contemporary failure to create explicit norm coordination should be seen as a demand to consider new strategy that can accept this structural incompatibility as inherent and not something to ‘overcome.’ For structural ambiguity is not only intrinsic: states are purposely deepening the ambiguity for its strategic advantage and economic efficiency. States, therefore, should not focus on how to force a distinct civilian/military separation but should rather develop new strategic thinking that accepts the ambiguity problem as a logistical reality that must be accounted for.
The United States military has not improved the situation. Gen. Alexander of US Cyber Command stated that in debating the rules of conflict in cyber operations the United States was trying to do the job right. Those debates, however, constantly oscillate back and forth between positions that do not address the primary innate structural concerns of the cyber domain. Consequently, the military has spent half a dozen years promising imminent progress that does not materialize. The Pentagon’s official report was itself described as ‘ducking’ a series of important fundamental questions, including defining such basic terms as ‘war,’ ‘force,’ and ‘appropriate response.’ This is pointed out not to poke fun at the military. Quite to the contrary, this piece makes the argument that given the reluctance of all parties concerned to engage the ambiguity assertion, with an eye to developing new strategy that embraces it rather than hopelessly using old strategy to overcome it, the military has had no real chance of making substantive progress in its effort to concisely define the parameters of cyber action.
This structural issue is more than just semantics. It literally covers who engages cyber war, what can be destroyed in cyber war, who can be a victim during cyber war, even the philosophical and ethical questions meant to be asked about cyber war itself. This piece is an entreaty to move away from unobtainable goals and idealistic dreams in a futile hope to create sanitized cyber war. Cyber war will never be sanitized. Consequently, contemporary strategic thinking about the cyber domain must start treating the ambiguity assertion with the same gravity that the more famous attribution problem receives.
Dr. Matthew Crosston is Professor of Political Science and Director of the International Security and Intelligence Studies program at Bellevue University, exclusively for the online magazine “New Eastern Outlook”.